CVE-2024-34068 in Wingsinfo

Summary

by MITRE • 05/03/2024

Pterodactyl wings is the server control plane for Pterodactyl Panel. An authenticated user who has access to a game server is able to bypass the previously implemented access control (GHSA-6rg3-8h8x-5xfv) that prevents accessing internal endpoints of the node hosting Wings in the pull endpoint. This would allow malicious users to potentially access resources on local networks that would otherwise be inaccessible. This issue has been addressed in version 1.11.2 and users are advised to upgrade. Users unable to upgrade may enable the `api.disable_remote_download` option as a workaround.


Analysis

by VulDB Data Team • 02/21/2025

The vulnerability CVE-2024-34068 affects Pterodactyl Wings, which serves as the server control plane for the Pterodactyl Panel. It is a critical access control bypass that undermines the security model designed to protect internal network resources. The vulnerability specifically concerns the pull endpoint, the Wings functionality that downloads remote files on behalf of a game server (the feature governed by the `api.disable_remote_download` setting). The flaw allows authenticated users with access to game servers to circumvent previously implemented security controls that were intended to prevent access to internal endpoints of the node hosting Wings. It is a regression in security posture, since a similar issue was previously addressed with the GHSA-6rg3-8h8x-5xfv vulnerability fix.

The technical root cause is insufficient validation of access controls within the pull endpoint handler. When an authenticated user makes a request to the pull endpoint, the service fails to properly verify that the requesting user is authorized to reach internal node resources. This weakness allows malicious actors to turn the existing access control mechanism against itself and gain unauthorized access to local network resources that should remain isolated from external user interactions. In effect, the vulnerability creates an attack vector for privilege escalation through the existing authentication system: legitimate user credentials are leveraged to access resources that should be restricted to administrative or system-level access only.

From an operational impact perspective, this vulnerability exposes organizations running Pterodactyl services to significant network security risks. Malicious users could potentially access internal network services, databases, or other sensitive resources that are typically isolated from direct user access. The attack surface expands dramatically since the vulnerability allows access to resources that are normally protected by network segmentation and access controls. This could result in data exfiltration, service disruption, or further lateral movement within the network infrastructure. The impact is particularly concerning for organizations that rely on Pterodactyl for hosting game servers or other network services where network isolation is critical for maintaining security boundaries.

The mitigation strategy involves upgrading to version 1.11.2, which contains the necessary security patches to address the access control bypass. Organizations that cannot immediately upgrade should implement the workaround by enabling the `api.disable_remote_download` option in their configuration. This temporary solution disables the remote download functionality through which the vulnerability is reached. The vulnerability aligns with CWE-284 Access Control Issues, specifically improper access control mechanisms that allow unauthorized access to protected resources. From an ATT&CK framework perspective, this vulnerability maps to techniques involving privilege escalation and lateral movement through compromised user accounts, potentially enabling adversaries to access internal network resources that would otherwise be protected by proper access controls. Organizations should also consider implementing additional monitoring and logging around the affected endpoints to detect potential exploitation attempts.
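As an added illustration, not code from Wings or from this advisory, the following Go example shows the kind of destination check the analysis of the pull endpoint calls for, together with the two mitigations named above: a configuration switch that refuses remote downloads entirely (the role of `api.disable_remote_download`), and a validation that resolves the requested host and refuses loopback, private, link-local and similar addresses, repeated at dial time and on every redirect. The exact bypass behind CVE-2024-34068 is not described on this page, so the code shows the general control rather than the project's patch. The type and function names (`Config`, `Resolver`, `ValidatePullURL`, `NewGuardedClient`), the injected resolver and its answers are assumptions made for this example.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/url"
)

// Config is a hypothetical stand-in for the relevant part of a Wings-style configuration,
// not the project's own type; DisableRemoteDownload plays the role of api.disable_remote_download.
type Config struct {
	DisableRemoteDownload bool
}

// Resolver is injected so the example runs offline; production code would wrap net.DefaultResolver.
type Resolver func(host string) ([]net.IP, error)

var ErrDisabled = errors.New("remote download is disabled by configuration")
var ErrBlockedAddress = errors.New("destination resolves to a blocked address")

// isBlockedIP reports whether a pull endpoint must refuse to fetch from ip: loopback, RFC 1918 / ULA
// private, link-local (covers 169.254.0.0/16), unspecified and multicast; IPv4-mapped IPv6 is handled too.
func isBlockedIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsUnspecified() || ip.IsMulticast()
}

// resolveAndCheck accepts a literal IP or resolves a hostname, then rejects the whole answer set
// if any address is blocked, so a name with one public and one private record cannot slip through.
func resolveAndCheck(host string, resolve Resolver) ([]net.IP, error) {
	ips, err := []net.IP(nil), error(nil)
	if ip := net.ParseIP(host); ip != nil {
		ips = []net.IP{ip} // literal address, no lookup needed
	} else if ips, err = resolve(host); err != nil || len(ips) == 0 {
		return nil, fmt.Errorf("cannot resolve %q: %v", host, err)
	}
	for _, ip := range ips {
		if isBlockedIP(ip) {
			return nil, fmt.Errorf("%w: %s -> %s", ErrBlockedAddress, host, ip)
		}
	}
	return ips, nil
}

// ValidatePullURL is the check applied to a user-supplied download URL before any request is made:
// the disable switch wins outright, then the scheme and the destination address are restricted.
func ValidatePullURL(cfg Config, raw string, resolve Resolver) ([]net.IP, error) {
	if cfg.DisableRemoteDownload {
		return nil, ErrDisabled
	}
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	if (u.Scheme != "http" && u.Scheme != "https") || u.Hostname() == "" {
		return nil, fmt.Errorf("unsupported URL %q: need http(s) and a host", raw)
	}
	return resolveAndCheck(u.Hostname(), resolve)
}

// NewGuardedClient returns an http.Client that repeats the check at dial time, dials the address
// it just checked rather than the name (so a second lookup cannot substitute a different answer),
// and re-validates every redirect target, with its own cap because a custom CheckRedirect replaces Go's default limit.
func NewGuardedClient(cfg Config, resolve Resolver) *http.Client {
	transport := &http.Transport{
		DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
			host, port, err := net.SplitHostPort(addr)
			if err != nil {
				return nil, err
			}
			ips, err := resolveAndCheck(host, resolve)
			if err != nil {
				return nil, err
			}
			return (&net.Dialer{}).DialContext(ctx, network, net.JoinHostPort(ips[0].String(), port))
		},
	}
	return &http.Client{
		Transport: transport,
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			if len(via) >= 5 {
				return errors.New("too many redirects")
			}
			_, err := ValidatePullURL(cfg, req.URL.String(), resolve)
			return err
		},
	}
}

func main() {
	fake := func(string) ([]net.IP, error) { return []net.IP{net.ParseIP("203.0.113.10")}, nil } // constructed, offline
	for _, raw := range []string{"https://cdn.example.com/pack.tgz", "http://127.0.0.1:8080/", "http://169.254.169.254/"} {
		_, err := ValidatePullURL(Config{}, raw, fake)
		fmt.Printf("%-34s -> %v\n", raw, err)
	}
}
```

Checking the destination only once, before the request, leaves the connection itself unguarded against a changed answer; this is why the client repeats the check inside `DialContext` and connects to the checked IP, and why `CheckRedirect` re-validates each hop. Logging every rejection from these two points gives the monitoring signal the mitigation paragraph recommends.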

Reservation: 04/30/2024
Disclosure: 05/03/2024
Moderation: accepted
CPE: ready
EPSS: 0.00394
KEV: no
Activities: very low
